config jwt-aud should reject invalid URIs #1681

Closed
wolfgangwalther opened this issue Dec 5, 2020 · 2 comments
@wolfgangwalther
Member

As noted in #1678 (comment) jwt-aud seems to not validate URIs at the moment.

This is unexpected, because according to the RFC, this should be of type StringOrUri - and once a : is part of the value, it must be a valid URI. We are validating those with Crypto.JWT: https://hackage.haskell.org/package/jose-0.8.4/docs/Crypto-JWT.html#g:5. Maybe we are not using it correctly.

@laurenceisla
Member

I think this is working OK now? The RFC Section-3 mentions that only the URI's schema and path are required (and even still, the path may be empty). With that in mind, these jwt-aud values work:

```
-- Debugging returns string
"hey"
-- Debugging returns URI
"a:hey"
"a:"
"a://hey"
```

While these fail and PostgREST does not start:

```
":hey"
"a//:m"
```

I must confess I didn't know a: was a valid URI according to the RFC.
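The StringOrUri rule discussed above, as an added example that is not PostgREST or jose code: a value without `:` is accepted as a plain string, and a value containing `:` must match the RFC 3986 URI syntax. The names `classify_aud` and `is_valid_aud` are hypothetical, and the host check is a simplification (IP literals are only checked loosely).

```python
import re

# RFC 3986 character classes, as regex fragments.
UNRESERVED = r"A-Za-z0-9\-._~"
SUB_DELIMS = r"!$&'()*+,;="
PCT = r"%[0-9A-Fa-f]{2}"
PCHAR = rf"(?:[{UNRESERVED}{SUB_DELIMS}:@]|{PCT})"
SEGMENTS = rf"(?:/{PCHAR}*)*"
USERINFO = rf"(?:(?:[{UNRESERVED}{SUB_DELIMS}:]|{PCT})*@)?"
# Simplification (assumption of this example): IP literals are checked loosely.
HOST = rf"(?:\[[0-9A-Fa-f:.]+\]|(?:[{UNRESERVED}{SUB_DELIMS}]|{PCT})*)"
AUTHORITY = rf"{USERINFO}{HOST}(?::[0-9]*)?"
# hier-part: "//" authority path-abempty | path-absolute | path-rootless | empty
HIER_PART = (
    rf"(?://{AUTHORITY}{SEGMENTS}|/(?:{PCHAR}+{SEGMENTS})?|{PCHAR}+{SEGMENTS}|)"
)
# URI = scheme ":" hier-part [ "?" query ] [ "#" fragment ]
URI_RE = re.compile(
    rf"[A-Za-z][A-Za-z0-9+.\-]*:{HIER_PART}"
    rf"(?:\?(?:{PCHAR}|[/?])*)?(?:#(?:{PCHAR}|[/?])*)?"
)


def classify_aud(value):
    """Return ("string", v) or ("uri", v); raise ValueError when v
    contains ':' but is not a syntactically valid URI."""
    if ":" not in value:
        return ("string", value)
    if URI_RE.fullmatch(value):
        return ("uri", value)
    raise ValueError(f"jwt-aud {value!r} contains ':' but is not a valid URI")


def is_valid_aud(value):
    """True when the value would be accepted as a StringOrUri."""
    try:
        classify_aud(value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Values from the thread, plus two constructed ones at the end.
    for v in ["hey", "a:hey", "a:", "a://hey", ":hey", "a//:m",
              "https://api.example.com/v1", "http://exa mple"]:
        print(f"{v!r:32} -> {'accept' if is_valid_aud(v) else 'reject'}")
```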

@laurenceisla
Member

Reopen if I missed something.
